Description
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.

Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.
Published: 2026-04-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect packet validation in FreeBSD's packet filter (pf) allows unbounded recursion when parsing SCTP chunk parameters. Crafting a malicious SCTP packet can trigger a stack overflow, causing the kernel to panic. The failure is a denial‑of‑service condition that affects system stability without directly leaking data or code execution. The weakness corresponds to uncontrolled recursion (CWE‑674) and out‑of‑bounds write (CWE‑791).

Affected Systems

This flaw concerns any FreeBSD machine where pf is enabled and processes traffic, regardless of the firewall ruleset. No specific version range is supplied in the advisory, so all deployments that use the affected pf code are potentially vulnerable until the security release is applied.

Risk and Exploitability

The vulnerability can be triggered remotely by an attacker who can send SCTP packets to the target. Although the exploit does not provide direct code execution, the induced kernel panic effectively brings the node down, which may allow a persistent denial‑of‑service attack. The EPSS score is < 1% and the flaw is not listed in the CISA KEV catalog, while the CVSS score of 7.5 indicates a medium‑to‑high severity. Combined with the lack of mitigating controls, this suggests a significant risk when the affected system is exposed to untrusted SCTP traffic.

Generated by OpenCVE AI on May 1, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security update that includes the pf patch referenced in the advisory.
  • If the system cannot be updated immediately, temporarily disable pf or block SCTP traffic to reduce exposure.
  • Continuously monitor system logs for kernel panic events and apply additional isolation measures as needed.

Generated by OpenCVE AI on May 1, 2026 at 05:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:beta3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p12:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*

Thu, 30 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Thu, 30 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.
Title pf can overflow the stack parsing crafted SCTP packets
Weaknesses CWE-674
CWE-791
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-04-30T13:09:07.760Z

Reserved: 2026-04-27T06:03:58.316Z

Link: CVE-2026-7164

cve-icon Vulnrichment

Updated: 2026-04-30T13:09:03.574Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T08:16:07.653

Modified: 2026-05-01T12:46:59.050

Link: CVE-2026-7164

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:30:09Z

Weaknesses